HIPAA – The Health Insurance Portability and Accountability Act focuses on three key criteria for handling Protected Health Information (PHI): Availability, confidentiality and integrity. This blog post focuses on availability as it applies to HIPAA applications and HIPAA data.
Availability means that PHI is always available, accessible and never lost. When a patient arrives at the emergency room at three o’clock in the morning, the electronic health records need to be available so the physician can address the emergency with all of the patient’s records at her fingertips. Patient records in the health care world is no longer a 9-5 job – and one of the main drivers behind electronic health records (EHR) is the portability and availability of patients’ records to health care providers around the clock.
Availability also means that PHI isn’t lost. HIPAA and the HITECH Act make Covered Entities and Business Associates responsible for making sure PHI isn’t lost. For electronic records, this means offsite data backups are imperative and offsite disaster recovery is strongly recommended.
So what does “availability” mean from a computing and application infrastructure? I like to look at availability from 2 perspectives:
Disaster Prevention is typically thought of in terms of “High Availability” – or redundant systems to assure that there is no single point of failure on the delivery of the application or data. Examples of high availability at the data center level include high availability power delivery through redundant generators, uninterruptible power supplies (UPSs), power distribution units (PDUs), and redundant power supplies in the servers. With high availability power, the failure of any element (generator, UPS, or power supply) does not affect the availability of the application – since the entire infrastructure is redundant.
Redundancy can also be delivered in the cloud server platform. For example, unlike many public clouds, Online Tech’s managed cloud servers are running on redundant hardware hosts with multiple power supplies, multiple network connections to SANs, redundant controllers and redundant RAID drives. Again, any hardware failure or even complete shutdown of a hardware hosts will not affect the availability of the application and the PHI data.
Disaster Recovery is typically thought of in terms of Recovery Time Objective (RTO) and Recovery Point Objective (RPO). RTO is the amount of time it takes to spin up the servers, network, application and data as a separate data center in the case that the application is shut down from a disaster. RTOs can range from minutes to weeks depending on the technology selected. RPO is defined as how close to the disaster the data can be recovered, which is tied to how often the data is backed up. If backups are made every night, then the RPO is 24 hours (up to 24 hours of data can be lost). If continuous replication is used, the loss may be as short as a few minutes. The shorter the RTO and RPO, the better for most businesses.
As a minimum, we recommend that all HIPAA applications use offsite backup for their data. That way, if the production data center has a disaster or is destroyed, the PHI isn’t lost. The backup is stored at a second data center that is located a significant distance away to assure the same disaster doesn’t strike both sites. In the Midwest, for example, best practices dictate a geographic separation of 50 miles between data centers. Online Tech’s data centers are 53 miles apart on separate power utilities and are interconnected with high speed fiber to assure timely replication between sites.
For critical PHI, we recommend warm site disaster recovery between data centers.Several years ago, warm site disaster recovery was difficult and expensive to achieve. However, with the advent of cloud computing, and disaster recovery as a service, disaster recovery has become very cost-effective and easier than ever. Our service provides offsite disaster recovery for cloud servers with an RTO starting at one hour.
So when you think about meeting the HIPAA availability requirements for your health care applications and PHI, I’d suggest you think about it in terms of disaster prevention (high availability) and disaster recovery and ask yourself two key questions:
How you answer these questions will be critical to how you comply with the availability criteria of HIPAA and the HITECH Act.